DIMSUM: Discovering Semantic Data of Interest From Un-Mappable Memory With Confidence
Uncovering semantic data of interest in memory pages without memory mapping information is an important capability in computer forensics. Existing memory mapping-guided techniques do not work in that scenario as pointers in the un-mappable memory cannot be resolved and navigated. To address this problem, the authors present a probabilistic inference-based approach called DIMSUM to enable the recognition of data structure instances from un-mappable memory. Given a set of memory pages and the specification of a target data structure, DIMSUM will identify instances of the data structure in those pages with quantifiable confidence. More specifically, it builds graphical models based on boolean constraints generated from the data structure and the memory page contents.
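The sketch below is an added example, not code from the DIMSUM authors: it evaluates boolean per-field constraints at each offset of a page and combines them into a confidence with a naive-Bayes posterior, a much simpler stand-in for the graphical models the abstract mentions. The 16-byte structure, the 32-bit kernel address range, the prior and the likelihood values are all assumptions chosen for illustration.

```python
import struct

# Hypothetical target structure (assumption, not from the paper):
#   uint32 pid; uint32 next; char name[8]   -> 16 bytes, little-endian
SIZE = 16
PRIOR = 0.01  # assumed prior that an arbitrary aligned offset starts an instance

def is_pid(v):
    return 0 < v < 32768

def is_kptr(v):
    # Judged on its value alone: the pointer is never dereferenced, because
    # without mapping information it cannot be resolved to another page.
    return v == 0 or (v >= 0xC0000000 and v % 4 == 0)

def is_name(b):
    s = b.split(b"\x00", 1)[0]
    return 0 < len(s) < len(b) and all(32 <= c < 127 for c in s)

# field -> (P(constraint holds | instance), P(constraint holds | not instance))
LIKELIHOODS = {"pid": (0.99, 0.05), "next": (0.99, 0.10), "name": (0.95, 0.02)}

def constraints(page, off):
    """Boolean constraints derived from the structure spec and page contents."""
    pid, nxt = struct.unpack_from("<II", page, off)
    name = page[off + 8:off + 16]
    return {"pid": is_pid(pid), "next": is_kptr(nxt), "name": is_name(name)}

def confidence(page, off):
    """Posterior that an instance starts at off, assuming independent fields."""
    p_inst, p_not = PRIOR, 1 - PRIOR
    for field, ok in constraints(page, off).items():
        t_inst, t_not = LIKELIHOODS[field]
        p_inst *= t_inst if ok else 1 - t_inst
        p_not *= t_not if ok else 1 - t_not
    return p_inst / (p_inst + p_not)

def scan(page, threshold=0.9):
    """Return (offset, confidence) for every 4-byte-aligned candidate above threshold."""
    scored = ((off, confidence(page, off)) for off in range(0, len(page) - SIZE + 1, 4))
    return [(off, round(c, 4)) for off, c in scored if c >= threshold]

def sample_page():
    """Constructed 64-byte page holding one instance at offset 16."""
    page = bytearray(64)
    struct.pack_into("<II8s", page, 16, 1234, 0xC1A2B3C0, b"sshd")
    return bytes(page)

if __name__ == "__main__":
    print(scan(sample_page()))
```
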